Hardening Server Window
8/21/2019 Hardening Server Window
http://slidepdf.com/reader/full/hardening-server-window 1/32
Server hardening
Server hardening consists of creating a security baseline for the servers in your organization. The default configuration of a Windows Server 2003 computer is not designed with security as the primary focus; rather, a default installation is designed for communication and functionality. To protect your servers, you must establish solid and sophisticated security policies for every type of server in your organization.

In this section, we will discuss the basic security baseline for a member server running in a Windows Server 2003 Active Directory domain. We will also discuss the best-practice security configurations in the security templates, starting with the generic best practices that apply to most member servers in the organization. We will then move on to the specific types of member servers, as well as domain controllers, and discuss which services, ports, applications, and so forth need to be hardened for the different server roles, comparing each to the baseline security for a simple member server.
TABLE OF CONTENTS
Member servers
Domain controllers
File and print servers
Web servers
Member servers
You must establish a security baseline for all member servers before creating additional security templates and policies to tailor security for specific types of servers. One of the most important aspects of applying hardening settings to member servers is developing the OU hierarchy that will support the security templates and policies you develop. You must also understand the various levels of security that are routinely used to develop and deploy security to all servers.
OU design considerations
The only way to efficiently and successfully deploy security to the different server roles in your enterprise is to design Active Directory to support those roles. The design should not only provide an efficient method to deploy security, but should also organize the computer accounts into OUs for easier management and troubleshooting.

Although Active Directory design is extremely flexible, you must consider a number of factors when organizing servers into OUs based on server role. The first factor is Group Policy application. For example, if you have two server roles that each need different security policy settings, you should separate the computer accounts into different OUs. The second factor is administration of the computer accounts within Active Directory. Even though you have only two different server roles, you might have two different administrators controlling the same type of server role. This might force you to have OUs not only for server roles, but also for server roles based on the administrator in charge.

Figure 5-7 illustrates an OU structure that does not consider location or administrative needs but does consider server roles. Figure 5-8 illustrates an OU structure that has a different set of administrators for the Main Office and Branch Office, where each office also has the same types of server roles.
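The OU layout described above can be built and wired to Group Policy with the ActiveDirectory and GroupPolicy PowerShell modules. The script below is an added example, not code from the chapter or from Microsoft. The OU names ("Member Servers", "File and Print Servers", "Web Servers", "Main Office", "Branch Office"), the GPO names and the two helper functions are assumptions made for the example, and the modules it uses ship with the RSAT tools on Windows Server 2008 R2 and later rather than with Windows Server 2003 itself.

```powershell
# Added example (not from the original chapter). Builds the role-based OU tree of
# Figure 5-7 under a top-level "Member Servers" OU, optionally with the per-office
# layer of Figure 5-8, and links a baseline GPO at the top with one role GPO per
# role OU. Requires the ActiveDirectory and GroupPolicy modules and an account that
# may create OUs and GPOs. All names below are assumptions for the example.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName        # e.g. DC=example,DC=com
$topOu    = 'Member Servers'
$roleOus  = 'File and Print Servers', 'Web Servers'  # one child OU per server role
$offices  = @()   # set to 'Main Office','Branch Office' for the Figure 5-8 layout

# Create an OU under $ParentDN if it does not exist; return its DN either way.
function New-OuIfMissing {
    param([string]$Name, [string]$ParentDN)
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $ParentDN -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return "OU=$Name,$ParentDN"
}

# Create a GPO if it does not exist and link it to $TargetDN if it is not linked yet.
function Add-GpoLinkIfMissing {
    param([string]$GpoName, [string]$TargetDN)
    $gpo = try { Get-GPO -Name $GpoName -ErrorAction Stop } catch { $null }
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Created by the OU build example' }
    $linked = (Get-GPInheritance -Target $TargetDN).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetDN -LinkEnabled Yes | Out-Null }
}

# Top-level server OU with the member server baseline (Table 5-7) linked to it.
# The link is deliberately not enforced: a role GPO linked lower in the tree must be
# able to override a baseline setting where that role needs it.
$topDN = New-OuIfMissing -Name $topOu -ParentDN $domainDN
Add-GpoLinkIfMissing -GpoName 'Member Server Baseline' -TargetDN $topDN

# Either roles directly under the top OU (Figure 5-7) or office OUs first (Figure 5-8).
$parents = @(if ($offices) { $offices | ForEach-Object { New-OuIfMissing -Name $_ -ParentDN $topDN } } else { $topDN })
foreach ($parent in $parents) {
    foreach ($role in $roleOus) {
        $roleDN = New-OuIfMissing -Name $role -ParentDN $parent
        Add-GpoLinkIfMissing -GpoName "$role Role" -TargetDN $roleDN
    }
}

# Show what a computer placed in the first role OU will receive: the baseline link is
# inherited from the top OU, the role GPO link is direct and applies last (wins).
(Get-GPInheritance -Target "OU=$($roleOus[0]),$($parents[0])").InheritedGpoLinks |
    Format-Table DisplayName, Enabled, Enforced, Order -AutoSize
```

Leaving `$offices` empty yields the role-only tree of Figure 5-7; filling it yields the office-then-role tree of Figure 5-8, where each office's role OUs can be delegated to that office's administrators. Because the baseline link is not enforced, a role GPO on a child OU wins where it sets the same policy, which is how the role-specific tables later in the chapter are meant to be layered on the baseline.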
Figure 5-7: An OU structure based on server roles only

Figure 5-8: An OU structure that considers location and administrative needs as well as server roles
TIP OUs are also commonly organized by physical location -- for example, the Main Office and Branch Office model. For more information on organizing OUs based on GPO deployment, see Chapter 4.
Member server security environment levels
Member server security environments are based on the operating systems of the clients and servers in your enterprise. Legacy clients and servers can't take advantage of the robust features and functions that Active Directory provides, such as Group Policy, Kerberos, and other security features. As the operating systems of domain members rise to levels that support all Active Directory functions and features, it becomes possible to raise the overall security of the enterprise and thus create a solid security environment.

There are three security environment levels typically found in an enterprise:

Legacy Client: When you have a mixed environment of new and older operating system versions, you must provide adequate security that will not constrain the operation of legacy clients. This is the lowest security level, but it needs to be that way for communication to occur and for legacy applications to work properly. This environment might include legacy clients such as Windows 95, Windows 98, or Windows NT 4.0 Workstation. You should limit this environment to having only Windows 2000 Server and Windows Server 2003 domain controllers. You should not support Windows NT 4.0 Server domain controllers, although you can have Windows NT Server computers configured as member servers.

Enterprise Client: This security level removes the legacy operating systems and uses only those that support the features and functions that Active Directory offers. This includes clients running Windows 2000 Professional and Windows XP Professional. These clients all support Group Policy, Kerberos authentication, and newer security features that the legacy clients don't. The domain controllers must be Windows 2000 Server or later. There will not be any Windows NT Server computers, even as member servers.
High Security: This security level is basically the same as Enterprise Client; it changes only the level of security that is implemented. This level raises the security standards so that all computers conform to stringent security policies for both clients and servers. This environment might be restrictive enough that some loss of functionality and manageability occurs. That must be acceptable, because the higher security level is a good tradeoff for the functionality and manageability you lose.

"Windows Server 2003 Security Guide" The three enterprise environments described earlier, and the procedures outlined in this chapter for hardening different server roles in each environment, are discussed more fully in the Windows Server 2003 Security Guide. The Security Guide also includes a set of additional security templates that can be imported into GPOs to harden different server roles in Legacy Client, Enterprise Client, and High Security environments. It also includes additional procedures for hardening security settings that cannot be configured using Group Policy. Using these additional security templates can simplify the hardening of different server roles on your network, and you can further customize the templates to meet the specific needs of your Active Directory environment.
Security settings for member servers
This section covers some common security settings that apply to standard member servers in the domain. These settings are best created in a GPO that is then linked to the top-level server OU; in Figure 5-7 or 5-8, this is the Member Servers OU.

Table 5-7 provides a full list of security settings for a member server.

NOTE Account Policies, which include Password Policy, Account Lockout Policy, and Kerberos Policy, are not specified in the member server security baseline outlined here. This is because Account Policies must be defined at the domain level in Active Directory, while the member server security baseline is defined in GPOs linked to the OUs where member servers are found. For best practices concerning domain Account Policies, see "Account Policies" under "Sections of the Security Template" earlier in this chapter, and also refer to the Windows Server 2003 Security Guide described in the "Windows Server 2003 Security Guide" sidebar.
Table 5-7 Security settings for member servers

Auditing
Security Setting | Legacy Client Configuration | Enterprise Client Configuration | High Security Configuration
Account Logon Events | Success, Failure | Success, Failure | Success, Failure
Account Management | Success, Failure | Success, Failure | Success, Failure
Directory Service Access | Success, Failure | Success, Failure | Success, Failure
Logon Events | Success, Failure | Success, Failure | Success, Failure
Object Access | Success, Failure | Success, Failure | Success, Failure
Policy Change | Success | Success | Success
Privilege Use | No Auditing | Failure | Success, Failure
Process Tracking | No Auditing | No Auditing | No Auditing
System Events | Success | Success | Success
User Rights
Security Setting | Legacy Client Configuration | Enterprise Client Configuration | High Security Configuration
Access this computer from the network | Not Defined (use defaults) | Not Defined (use defaults) | Administrators, Authenticated Users
Act as part of the operating system | Not Defined (use defaults) | Not Defined (use defaults) | Revoke all security groups and accounts
Add workstations to domain | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Adjust memory quotas for a process | Not Defined (use defaults) | Not Defined (use defaults) | Administrators, NETWORK SERVICE, LOCAL SERVICE
Allow log on locally | Administrators, Backup Operators, Power Users | Administrators, Backup Operators, Power Users | Administrators, Backup Operators, Power Users
Allow log on through Terminal Services | Administrators, Remote Desktop Users | Administrators, Remote Desktop Users | Administrators
Change the system time | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Debug programs | Revoke all security groups and accounts | Revoke all security groups and accounts | Revoke all security groups and accounts
Deny access to this computer from the network | ANONYMOUS LOGON; built-in Administrator; Guests; SUPPORT_388945a0; Guest; all non-operating-system service accounts | (same) | (same)
Deny log on as a batch job | Guests; SUPPORT_388945a0; Guest | Guests; SUPPORT_388945a0; Guest | Guests; SUPPORT_388945a0; Guest
Deny log on through Terminal Services | Built-in Administrator; Guests; SUPPORT_388945a0; Guest; all non-operating-system service accounts | (same) | (same)
Enable computer and user accounts to be trusted for delegation | Not Defined (use defaults) | Not Defined (use defaults) | Revoke all security groups and accounts
Force shutdown from a remote system | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Generate security audits | Not Defined | Not Defined | NETWORK SERVICE, LOCAL SERVICE
Impersonate a client after authentication | Not Defined (use defaults) | Not Defined (use defaults) | LOCAL SERVICE, NETWORK SERVICE
Increase scheduling priority | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Load and unload device drivers | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Lock pages in memory | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Log on as a batch job | Not Defined (use defaults) | Not Defined (use defaults) | Revoke all security groups and accounts
Manage auditing and security log | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Modify firmware environment values | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Perform volume maintenance tasks | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Profile single process | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Profile system performance | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Remove computer from docking station | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Replace a process level token | Not Defined (use defaults) | Not Defined (use defaults) | LOCAL SERVICE, NETWORK SERVICE
Restore files and directories | Not Defined (use defaults) | Administrators | Administrators
Shut down the system | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Synchronize directory service data | Not Defined (use defaults) | Not Defined (use defaults) | Revoke all security groups and accounts
Take ownership of files or other objects | Not Defined (use defaults) | Not Defined (use defaults) | Administrators
Security Options
Security Setting | Legacy Client Configuration | Enterprise Client Configuration | High Security Configuration
Accounts: Guest account status | Disabled | Disabled | Disabled
Accounts: Limit local account use of blank passwords to console logon only | Enabled | Enabled | Enabled
Audit: Audit the access of global system objects | Disabled | Disabled | Disabled
Audit: Audit the use of Backup and Restore privilege | Disabled | Disabled | Disabled
Audit: Shut down system immediately if unable to log security audits | Disabled | Disabled | Enabled
Devices: Allow undock without having to log on | Disabled | Disabled | Disabled
Devices: Allowed to format and eject removable media | Administrators | Administrators | Administrators
Devices: Prevent users from installing printer drivers | Enabled | Enabled | Enabled
Devices: Restrict CD-ROM access to locally logged-on user only | Not Defined (use defaults) | Not Defined (use defaults) | Enabled
Devices: Restrict floppy access to locally logged-on user only | Not Defined (use defaults) | Not Defined (use defaults) | Enabled
Devices: Unsigned driver installation behavior | Warn but allow installation | Warn but allow installation | Warn but allow installation
Domain controller: Allow server operators to schedule tasks | Disabled | Disabled | Disabled
Domain controller: LDAP server signing requirements | Not Defined (use defaults) | Not Defined (use defaults) | Require signing
Domain controller: Refuse machine account password changes | Disabled | Disabled | Disabled
Domain member: Digitally encrypt or sign secure channel data (always) | Disabled | Enabled | Enabled
Domain member: Digitally encrypt secure channel data (when possible) | Enabled | Enabled | Enabled
Domain member: Digitally sign secure channel data (when possible) | Enabled | Enabled | Enabled
Domain member: Disable machine account password changes | Disabled | Disabled | Disabled
Domain member: Maximum machine account password age | 30 days | 30 days | 30 days
Domain member: Require strong (Windows 2000 or later) session key | Enabled | Enabled | Enabled
Interactive logon: Do not display last user name | Enabled | Enabled | Enabled
Interactive logon: Do not require CTRL+ALT+DEL | Disabled | Disabled | Disabled
Interactive logon: Message text for users attempting to log on | "This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. If unauthorized, terminate access now! Clicking on OK indicates your acceptance of the information in the background." | (same) | (same)
Interactive logon: Message title for users attempting to log on | IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION | (same) | (same)
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 1 | 0 | 0
Interactive logon: Prompt user to change password before expiration | 14 days | 14 days | 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation | Enabled | Enabled | Enabled
Interactive logon: Smart card removal behavior | Not Defined (use defaults) | Lock Workstation | Lock Workstation
Microsoft network client: Digitally sign communications (always) | Disabled | Enabled | Enabled
Microsoft network client: Digitally sign communications (if server agrees) | Enabled | Enabled | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled | Disabled | Disabled
Microsoft network server: Amount of idle time required before suspending session | 15 minutes | 15 minutes | 15 minutes
Microsoft network server: Digitally sign communications (always) | Disabled | Enabled | Enabled
Microsoft network server: Digitally sign communications (if client agrees) | Enabled | Enabled | Enabled
Microsoft network server: Disconnect clients when logon hours expire | Enabled | Enabled | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | Enabled | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | Enabled | Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled | Enabled | Enabled
Network access: Let Everyone permissions apply to anonymous users | Disabled | Disabled | Disabled
Network access: Named Pipes that can be accessed anonymously | None | None | None
Network access: Remotely accessible registry paths | System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server Applications; Software\Microsoft\Windows NT\CurrentVersion | (same) | (same)
Network access: Remotely accessible registry paths and sub-paths | System\CurrentControlSet\Control\Print\Printers; System\CurrentControlSet\Services\Eventlog; Software\Microsoft\OLAP Server; Software\Microsoft\Windows NT\CurrentVersion\Print; Software\Microsoft\Windows NT\CurrentVersion\Windows; System\CurrentControlSet\Control\ContentIndex; System\CurrentControlSet\Control\Terminal Server; System\CurrentControlSet\Control\Terminal Server\UserConfig; System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration; Software\Microsoft\Windows NT\CurrentVersion\Perflib; System\CurrentControlSet\Services\SysmonLog | (same) | (same)
Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | Enabled | Enabled
Network access: Shares that can be accessed anonymously | None | None | None
Network access: Sharing and security model for local accounts | Classic -- local users authenticate as themselves | Classic -- local users authenticate as themselves | Classic -- local users authenticate as themselves
Network security: Do not store LAN Manager hash value on next password change | Enabled | Enabled | Enabled
Network security: LAN Manager authentication level | Send NTLMv2 responses only | Send NTLMv2 responses only\refuse LM | Send NTLMv2 responses only\refuse LM & NTLM
Network security: LDAP client signing requirements | Negotiate signing | Negotiate signing | Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | No minimum | Enable all settings | Enable all settings
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | No minimum | Enable all settings | Enable all settings
Recovery console: Allow automatic administrative logon | Disabled | Disabled | Disabled
Recovery console: Allow floppy copy and access to all drives and all folders | Enabled | Enabled | Disabled
Shutdown: Allow system to be shut down without having to log on | Disabled | Disabled | Disabled
Shutdown: Clear virtual memory page file | Disabled | Disabled | Enabled
System cryptography: Force strong key protection for user keys stored on the computer | User is prompted when the key is first used | User is prompted when the key is first used | User must enter a password each time they use a key
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled | Disabled | Disabled
System objects: Default owner for objects created by members of the Administrators group | Object creator | Object creator | Object creator
System objects: Require case insensitivity for non-Windows subsystems | Enabled | Enabled | Enabled
System objects: Strengthen default permissions of internal system objects (such as Symbolic Links) | Enabled | Enabled | Enabled
System settings: Optional subsystems | None | None | None
Event Log
Security Setting | Legacy Client Configuration | Enterprise Client Configuration | High Security Configuration
Maximum application log size | 16,384 KB | 16,384 KB | 16,384 KB
Maximum security log size | 81,920 KB | 81,920 KB | 81,920 KB
Maximum system log size | 16,384 KB | 16,384 KB | 16,384 KB
Prevent local guests group from accessing application log | Enabled | Enabled | Enabled
Prevent local guests group from accessing security log | Enabled | Enabled | Enabled
Prevent local guests group from accessing system log | Enabled | Enabled | Enabled
Retention method for application log | As needed | As needed | As needed
Retention method for security log | As needed | As needed | As needed
Retention method for system log | As needed | As needed | As needed
System Services
The startup type is identical in the Legacy Client, Enterprise Client and High Security configurations, so it is listed once per service.
Service | Startup type (all three configurations)
Alerter | Disabled
Application Layer Gateway Service | Disabled
Application Management | Disabled
ASP.NET State Service | Disabled
Automatic Updates | Automatic
Background Intelligent Transfer Service | Manual
Certificate Services | Disabled
Microsoft Software Shadow Copy Provider | Manual
Client Service for NetWare | Disabled
ClipBook | Disabled
Cluster Service | Disabled
COM+ Event System | Manual
COM+ System Application | Disabled
Computer Browser | Automatic
Cryptographic Services | Automatic
DHCP Client | Automatic
DHCP Server | Disabled
Distributed Link Tracking Client | Disabled
Distributed Link Tracking Server | Disabled
Distributed Transaction Coordinator | Disabled
DNS Client | Automatic
DNS Server | Disabled
Error Reporting Service | Disabled
Event Log | Automatic
Fax Service | Disabled
File Replication | Disabled
File Server for Macintosh | Disabled
FTP Publishing | Disabled
Help and Support | Disabled
HTTP SSL | Disabled
Human Interface Device Access | Disabled
IAS Jet Database Access | Disabled
IIS Admin Service | Disabled
IMAPI CD-Burning COM Service | Disabled
Indexing Service | Disabled
Infrared Monitor | Disabled
Internet Authentication Service | Disabled
Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) | Disabled
Intersite Messaging | Disabled
IP Version 6 Helper Service | Disabled
IPSec Policy Agent (IPSec Service) | Automatic
Kerberos Key Distribution Center | Disabled
License Logging Service | Disabled
Logical Disk Manager | Manual
Logical Disk Manager Administrative Service | Manual
Message Queuing | Disabled
Message Queuing Down Level Clients | Disabled
Message Queuing Triggers | Disabled
Messenger | Disabled
Microsoft POP3 Service | Disabled
MSSQL$UDDI | Disabled
MSSQLServerADHelper | Disabled
.NET Framework Support Service | Disabled
Netlogon | Automatic
NetMeeting Remote Desktop Sharing | Disabled
Network Connections | Manual
Network DDE | Disabled
Network DDE DSDM | Disabled
Network Location Awareness (NLA) | Manual
Network News Transport Protocol (NNTP) | Disabled
NT LM Security Support Provider | Automatic
Performance Logs and Alerts | Manual
Plug and Play | Automatic
Portable Media Serial Number | Disabled
Print Server for Macintosh | Disabled
Print Spooler | Disabled
Protected Storage | Automatic
Remote Access Auto Connection Manager | Disabled
Remote Access Connection Manager | Disabled
Remote Administration Service | Manual
Remote Desktop Help Session Manager | Disabled
Remote Installation | Disabled
Remote Procedure Call (RPC) | Automatic
Remote Procedure Call (RPC) Locator | Disabled
Remote Registry | Automatic
Remote Server Manager | Disabled
Remote Server Monitor | Disabled
Remote Storage Notification | Disabled
Remote Storage Server | Disabled
Removable Storage | Manual
Resultant Set of Policy Provider | Disabled
Routing and Remote Access | Disabled
SAP Agent | Disabled
Secondary Logon | Disabled
Security Accounts Manager | Automatic
Server | Automatic
Shell Hardware Detection | Disabled
Simple Mail Transport Protocol (SMTP) | Disabled
Simple TCP/IP Services | Disabled
Single Instance Storage Groveler | Disabled
Smart Card | Disabled
SNMP Service | Disabled
SNMP Trap Service | Disabled
Special Administration Console Helper | Disabled
System Event Notification | Automatic
Task Scheduler | Disabled
TCP/IP NetBIOS Helper Service | Automatic
TCP/IP Print Server | Disabled
Telephony | Disabled
Telnet | Disabled
Terminal Services | Automatic
Terminal Services Licensing | Disabled
Terminal Services Session Directory | Disabled
Themes | Disabled
Trivial FTP Daemon | Disabled
Uninterruptible Power Supply | Disabled
Upload Manager | Disabled
Virtual Disk Service | Disabled
Volume Shadow Copy | Manual
WebClient | Disabled
Web Element Manager | Disabled
Windows Audio | Disabled
Windows Image Acquisition (WIA) | Disabled
Windows Installer | Automatic
Windows Internet Name Service (WINS) | Disabled
Windows Management Instrumentation | Automatic
Windows Management Instrumentation Driver Extensions | Manual
Windows Media Services | Disabled
Windows System Resource Manager | Disabled
Windows Time | Automatic
WinHTTP Web Proxy Auto-Discovery Service | Disabled
Wireless Configuration | Disabled
WMI Performance Adapter | Manual
Workstation | Automatic
World Wide Web Publishing Service | Disabled
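One way to verify that a member server actually carries the Table 5-7 baseline is to export the local security database with secedit.exe and compare the export with the table. The script below is an added example; it is not part of the chapter and not a Microsoft tool. It checks a subset of the High Security column. The secedit section and key names are the documented ones for those policies, the expected values are transcribed from Table 5-7, and the export file name under $env:TEMP and the helper function names are assumptions made for the example.

```powershell
# Added example (not from the original chapter). Exports the local security database
# with secedit.exe and checks a subset of Table 5-7's High Security column against it.
# On a domain member the local security database holds the settings the Group Policy
# security extension last applied, so the export reflects the effective baseline.
# Run from an elevated prompt. Expected values are taken from Table 5-7.

$inf = Join-Path $env:TEMP 'secpol-export.inf'   # assumed scratch file name
Remove-Item $inf -ErrorAction SilentlyContinue
& secedit.exe /export /cfg $inf /quiet | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed (run elevated)' }

# Parse the INI-style export into a "section|key" -> value table (keys are case-insensitive).
$policy  = @{}
$section = ''
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]\s*$')                { $section = $Matches[1]; continue }
    if ($line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $policy["$section|$($Matches[1])"] = $Matches[2] }
}

# [Registry Values] lines look like  MACHINE\...\LmCompatibilityLevel=4,5  (REG type, data);
# REG_SZ data is quoted:  ...\CachedLogonsCount=1,"0".  Return just the data.
function Get-RegPolicy([string]$path) {
    $raw = $policy["Registry Values|MACHINE\$path"]
    if ($null -eq $raw) { return $null }
    return ($raw -replace '^\d+,', '').Trim('"')
}

# [Privilege Rights] lines list holders, e.g.  SeDebugPrivilege = *S-1-5-32-544 ;
# a right nobody holds is absent or empty.
function Get-RightHolders([string]$right) {
    $raw = $policy["Privilege Rights|$right"]
    if ([string]::IsNullOrEmpty($raw)) { return @() }
    return @($raw -split ',' | ForEach-Object { $_.Trim() })
}

$lsa = 'System\CurrentControlSet\Control\Lsa'
$checks = @(
  # [Event Audit] codes: 0 = No Auditing, 1 = Success, 2 = Failure, 3 = Success and Failure
  @{ Name='Audit privilege use (Success, Failure)'; Actual=$policy['Event Audit|AuditPrivilegeUse'];    Expected='3' },
  @{ Name='Audit process tracking (No Auditing)';   Actual=$policy['Event Audit|AuditProcessTracking']; Expected='0' },
  # Security Options
  @{ Name='Guest account disabled';                 Actual=$policy['System Access|EnableGuestAccount']; Expected='0' },
  @{ Name='LM auth level: NTLMv2 only, refuse LM & NTLM'; Actual=(Get-RegPolicy "$lsa\LmCompatibilityLevel"); Expected='5' },
  @{ Name='Do not store LAN Manager hash';          Actual=(Get-RegPolicy "$lsa\NoLMHash");            Expected='1' },
  @{ Name='No anonymous enumeration of SAM accounts and shares'; Actual=(Get-RegPolicy "$lsa\RestrictAnonymous"); Expected='1' },
  # "Enable all settings" = integrity 0x10 + confidentiality 0x20 + NTLMv2 0x80000 + 128-bit 0x20000000
  @{ Name='NTLM SSP minimum client security (all settings)'; Actual=(Get-RegPolicy "$lsa\MSV1_0\NTLMMinClientSec"); Expected='537395248' },
  @{ Name='SMB server: sign communications (always)'; Actual=(Get-RegPolicy 'System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature'); Expected='1' },
  @{ Name='SMB client: sign communications (always)'; Actual=(Get-RegPolicy 'System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature'); Expected='1' },
  @{ Name='Secure channel: encrypt or sign (always)'; Actual=(Get-RegPolicy 'System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal'); Expected='1' },
  @{ Name='Previous logons to cache = 0';           Actual=(Get-RegPolicy 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount'); Expected='0' },
  # User Rights (S-1-5-32-544 is the Administrators group)
  @{ Name='Debug programs: nobody';                 Actual=((Get-RightHolders 'SeDebugPrivilege') -join ','); Expected='' },
  @{ Name='Act as part of the OS: nobody';          Actual=((Get-RightHolders 'SeTcbPrivilege') -join ',');   Expected='' },
  @{ Name='Log on through Terminal Services: Administrators only'; Actual=((Get-RightHolders 'SeRemoteInteractiveLogonRight') -join ','); Expected='*S-1-5-32-544' }
)

$results = foreach ($c in $checks) {
    New-Object PSObject -Property @{
        Check    = $c.Name
        Expected = $c.Expected
        Actual   = $(if ($null -eq $c.Actual) { '<not set>' } else { [string]$c.Actual })
        Result   = $(if ([string]$c.Actual -eq $c.Expected) { 'PASS' } else { 'FAIL' })
    }
}
$results | Format-Table Result, Check, Expected, Actual -AutoSize
```

Run it elevated on the server being audited. A FAIL on a registry-backed setting most often means the GPO is linked to the wrong OU or has not refreshed yet; `gpresult /scope computer /v` shows which GPO delivered each setting. Add rows to `$checks` for the remaining table entries as needed; the Enterprise Client column differs only in the values, not in the key names.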
Ports required for member servers

For a member server to function on the network with other computers, specific ports must be open. Table 5-8 lists those critical ports. As we investigate specific server roles, additional ports will need to be added to ensure each server functions properly.

Table 5-8 Ports for member servers
Port | Description
UDP 137 (NetBIOS name service) | Used by the browse master service. This must be open for WINS and browse master servers.
UDP 138 (NetBIOS datagram service) | Must be open to accept inbound datagrams from NetBIOS applications such as the Messenger service or the Computer Browser service.
TCP 139 (NetBIOS session service) | Must be closed unless you run applications or operating systems that need to support Windows networking (SMB) connections over NetBIOS. If you run Windows NT 4.0, Windows Millennium Edition, Windows 98, or Windows 95, this port must be open on your servers.
TCP 445 (CIFS/SMB server) | Used by basic Windows networking, including file sharing, printer sharing, and remote administration.
TCP 3389 (Remote Desktop Protocol) | Must be open if you are using Terminal Services for application sharing, remote desktop, or remote assistance.
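The ports in Table 5-8 are opened by services whose start modes the Table 5-7 System Services baseline fixes (Server, Computer Browser, TCP/IP NetBIOS Helper, Messenger, Terminal Services). The script below is an added example, not from the chapter, that ties the two tables together on a running member server: it lists which of the five ports are listening, which process owns each socket, and whether the related services' start modes match the baseline. It uses netstat.exe and WMI, which exist on Windows Server 2003 and later; the port-to-service mapping, the protocol attached to each port (NetBIOS name and datagram services are UDP, the rest TCP) and the output format are assumptions made for the example.

```powershell
# Added example (not from the original chapter). Cross-checks Table 5-8 (ports) against
# the Table 5-7 System Services baseline on this server using netstat.exe and WMI.
# The port-to-service mapping below is an assumption drawn from the Table 5-8 descriptions.
$ports = @(
    @{ Key='UDP/137';  Desc='NetBIOS name service (WINS / browse master only)';           Services='Browser','lmhosts' },
    @{ Key='UDP/138';  Desc='NetBIOS datagram service (Messenger, Computer Browser)';     Services='Messenger','Browser' },
    @{ Key='TCP/139';  Desc='NetBIOS session service (SMB for pre-Windows 2000 clients)'; Services='lanmanserver' },
    @{ Key='TCP/445';  Desc='CIFS/SMB (file/print sharing, remote administration)';       Services='lanmanserver' },
    @{ Key='TCP/3389'; Desc='Remote Desktop Protocol (Terminal Services)';                Services='TermService' }
)
# Table 5-7 start modes for those services, keyed by service short name (WMI StartMode values).
$baseline = @{ Browser='Auto'; lmhosts='Auto'; Messenger='Disabled'; lanmanserver='Auto'; TermService='Auto' }

$services = @{}
foreach ($s in Get-WmiObject Win32_Service) { $services[$s.Name] = $s }
$procName = @{}
foreach ($proc in Get-Process) { $procName[$proc.Id] = $proc.ProcessName }

# Keep TCP sockets in LISTENING state and every UDP socket. Sample netstat -ano lines:
#   TCP    0.0.0.0:445    0.0.0.0:0    LISTENING    4
#   UDP    0.0.0.0:137    *:*                       4
$listeners = @(netstat -ano | ForEach-Object {
    if ($_ -match '^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:LISTENING\s+)?(\d+)\s*$') {
        New-Object PSObject -Property @{ Key = "$($Matches[1])/$($Matches[2])"; Pid = [int]$Matches[3] }
    }
})

foreach ($p in $ports) {
    $hits = @($listeners | Where-Object { $_.Key -eq $p.Key })
    $state = if ($hits) {
        $owners = $hits | ForEach-Object { "$($_.Pid) ($($procName[$_.Pid]))" } | Select-Object -Unique
        'LISTENING in pid ' + ($owners -join ', ')
    } else { 'not listening' }
    "{0,-9} {1}: {2}" -f $p.Key, $state, $p.Desc

    # Start mode of each service behind the port, compared with the Table 5-7 baseline.
    foreach ($name in @($p.Services)) {
        $svc = $services[$name]
        if (-not $svc) { "          service $name is not installed"; continue }
        $verdict = if ($svc.StartMode -eq $baseline[$name]) { 'matches Table 5-7' } else { "baseline says $($baseline[$name])" }
        "          service {0,-13} StartMode={1,-9} State={2,-8} {3}" -f $name, $svc.StartMode, $svc.State, $verdict
    }
}
```

Ports 137, 138, 139 and 445 are bound by the kernel-mode NetBT and SMB server drivers, so netstat attributes them to PID 4 (System); what stops them listening is disabling the related services or disabling NetBIOS over TCP/IP on the adapter, not ending a process. On a member server with no pre-Windows 2000 clients the chapter expects TCP 139 to be closed, so a LISTENING line for it is a finding to follow up.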
Domain controllers

Domain controllers are the heart of any environment that runs Active Directory. These computers must be stable, protected, and available to provide the key services of the directory: user authentication, resource access, and more. If a domain controller in the environment is lost or compromised, the result can be disastrous for the clients, servers, and applications that rely on domain controllers for authentication, Group Policy, and the LDAP directory; because a domain controller holds the password hashes of every account in the domain, its compromise is in effect a compromise of the entire domain.

Not only should domain controllers be hardened with security configurations, they must also be physically secured in locations accessible only to qualified administrative staff. If domain controllers must be placed in unsecured locations because of facility limitations (such as a branch office), apply additional security configurations to limit the potential damage from physical threats against the computer.
Domain controller security environment levels
Along the same lines as the Member Server hardening guidelines, domain controllers also have different levels of security based on the environment in which they are deployed. These levels are the same as those defined in the "Member Servers" section in this chapter: Legacy Client, Enterprise Client, and High Security.
Security settings for domain controllers
Security settings that apply specifically to domain controllers are best created in a GPO that is then linked to the Domain Controllers OU. The settings for domain controllers should be based on those we reviewed in the earlier "Member Servers" section. Of course, a domain controller also has additional functions or features compared to a member server, and this requires additional open ports and security configuration. You must review the security settings list to ensure that you are not restricting a key feature for your domain controller.
Table 5-9 lists the settings that differ from those specified in Table 5-7. In other words, the baseline security settings for domain controllers as outlined below should be incrementally added to the baseline security settings for member servers described previously.
MORE INFO For more information on hardening domain controllers in different enterprise environments, see the Windows Server 2003 Security Guide.
Table 5-9 Security settings for domain controllers
Security Setting | Legacy Client Configuration | Enterprise Client Configuration | High Security Configuration

User Rights
Access this computer from the network | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS
Add workstations to domain | Administrators | Administrators | Administrators
Allow log on locally | Administrators | Administrators | Administrators
Allow log on through Terminal Services | Administrators | Administrators | Administrators
Change the system time | Administrators | Administrators | Administrators
Enable computer and user accounts to be trusted for delegation | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators
Load and unload device drivers | Administrators | Administrators | Administrators
Restore files and directories | Administrators | Administrators | Administrators
Shut down the system | Administrators | Administrators | Administrators

Security Options
Network security: Do not store LAN Manager hash value on next password change | Disabled | Enabled | Enabled

System Services
Distributed File System | Automatic | Automatic | Automatic
DNS Server | Automatic | Automatic | Automatic
File Replication | Automatic | Automatic | Automatic
Intersite Messaging | Automatic | Automatic | Automatic
Kerberos Key Distribution Center | Automatic | Automatic | Automatic
Remote Procedure Call (RPC) Locator | Automatic | Automatic | Automatic
Ports required for domain controllers
Domain controllers are responsible for specific functions, as seen in the different settings listed in Table 5-9. Many of these different security template settings are due to required services to authenticate users and maintain consistency of the Active Directory database between other domain controllers. Table 5-10 lists additional ports that you must open for domain controllers.
Table 5-10 Ports for domain controllers
Port | Description
88 (Kerberos) | The Kerberos protocol is used by Windows 2000 and later operating systems to log on and retrieve tickets for accessing other servers.
123 (NTP) | This port provides time synchronization for network clients using the Network Time Protocol (NTP).
135 (RPC endpoint mapper/DCOM) | This port allows RPC clients to discover the ports that the RPC server is listening on.
389 (LDAP) | This port is the primary way that clients access Active Directory to obtain user information, e-mail addresses, services, and other directory service information.
464 (Kerberos Password Changes) | This port provides secure methods for users to change passwords using Kerberos.
636 (LDAP over SSL) | This port is needed if LDAP will use SSL to provide encryption and mutual authentication for LDAP traffic.
3268 (Global Catalog) | This port provides the means for clients to search Active Directory information that spans multiple domains.
3269 (Global Catalog over SSL) | This port is needed because the Global Catalog uses SSL to provide encryption and mutual authentication for Global Catalog traffic.
NOTE If your domain controller is running DNS, you will need to also open port 53.
File and print servers
File and print servers are responsible for resource storage and controlling access to these resources throughout the enterprise. These servers house the company's documents, trade secrets, financial data, and much more. If these computers are not protected, the entire company might be in jeopardy. These computers must be stable, protected, and available to provide users and applications access to resources stored on these computers.
Like the domain controllers, these servers must be physically protected. If someone were to get hold of a file server, they could potentially use other tools to gain access to the resources on the server. You should take action to protect against this.
Table 5-11 lists security settings for file and print servers that differ from the settings in the Member Servers section earlier in the chapter. In other words, the baseline security settings for file and print servers as outlined here should be incrementally added to the baseline security settings for member servers described previously. These settings are best created in a GPO that is then linked to the OU that contains the file servers.
MORE INFO For more information on hardening file and print servers in different enterprise environments, see the Windows Server 2003 Security Guide.
Table 5-11 Security settings for file and print servers
Security Setting | Legacy Client Configuration | Enterprise Client Configuration | High Security Configuration

Security Options
Microsoft network server: Digitally sign communications (always) | Disabled (Print Servers only) | Disabled (Print Servers only) | Disabled (Print Servers only)

System Services
Distributed File System | Disabled | Disabled | Disabled
File Replication | Disabled | Disabled | Disabled
Print Spooler | Automatic (Print Servers only) | Automatic (Print Servers only) | Automatic (Print Servers only)
Web servers
Microsoft Internet Information Services (IIS) is the service that provides Web services on a Windows server. Web servers must be properly secured from malicious attackers, while still allowing legitimate clients to access intranet or public Web sites hosted on the server.
IIS is not installed by default on the Windows Server 2003 family of servers, and when you do install IIS, it installs in "locked" mode -- a highly secure mode that protects IIS against threats. Beyond the best-practice security settings presented in this section for IIS, be sure to protect your Web servers by monitoring security using some form of intrusion detection system, and by implementing proper incident response procedures.
Security settings for Web servers
Security settings for Web servers are best created in a GPO that is then linked to the OU that contains the Web servers. Table 5-12 lists only the settings that differ from those in Table 5-7. In other words, the baseline security settings for Web servers as outlined here should be incrementally added to the baseline security settings for member servers described previously.
MORE INFO For more information on hardening Web servers in different enterprise environments, see the Windows Server 2003 Security Guide.
Table 5-12 Security settings for Web servers
Security Setting | Legacy Client Configuration | Enterprise Client Configuration | High Security Configuration

User Rights
Deny access to this computer from the network | ANONYMOUS LOGON; Built-in Administrator; Support_388945a0; Guest; all NON-Operating System service accounts | ANONYMOUS LOGON; Built-in Administrator; Support_388945a0; Guest; all NON-Operating System service accounts | ANONYMOUS LOGON; Built-in Administrator; Support_388945a0; Guest; all NON-Operating System service accounts

System Services
HTTP SSL | Automatic | Automatic | Automatic
IIS Admin Service | Automatic | Automatic | Automatic
World Wide Web Publishing Service | Automatic | Automatic | Automatic
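As an added example (not code from the chapter or from the Windows Server 2003 Security Guide), the following PowerShell builds a role's service baseline the way the text describes: the rows of Table 5-9, 5-11 or 5-12 are overlaid onto the member-server rows of Table 5-7 shown on this page, and the result is compared with the live startup types so that deviations can be reported. It assumes PowerShell 3.0 or later for Get-CimInstance; the role names and function names are my own, and only the services listed on this page are included.

```powershell
# Added example (not from the chapter): overlay a role's Table 5-9/5-11/5-12 service
# settings onto the member-server baseline (Table 5-7) and compare with the live host.
$MemberServerBaseline = @{                                  # tail of Table 5-7
    'WinHTTP Web Proxy Auto-Discovery Service' = 'Disabled'
    'Wireless Configuration'                   = 'Disabled'
    'WMI Performance Adapter'                  = 'Manual'
    'Workstation'                              = 'Automatic'
    'World Wide Web Publishing Service'        = 'Disabled'
}
$RoleOverlays = @{                                          # role-specific differences
    'DomainController' = @{                                 # Table 5-9
        'Distributed File System'             = 'Automatic'
        'DNS Server'                          = 'Automatic'
        'File Replication'                    = 'Automatic'
        'Intersite Messaging'                 = 'Automatic'
        'Kerberos Key Distribution Center'    = 'Automatic'
        'Remote Procedure Call (RPC) Locator' = 'Automatic'
    }
    'FileServer'  = @{ 'Distributed File System' = 'Disabled'; 'File Replication' = 'Disabled' }  # Table 5-11
    'PrintServer' = @{ 'Distributed File System' = 'Disabled'; 'File Replication' = 'Disabled'
                       'Print Spooler' = 'Automatic' }                                             # Table 5-11
    'WebServer'   = @{ 'HTTP SSL' = 'Automatic'; 'IIS Admin Service' = 'Automatic'
                       'World Wide Web Publishing Service' = 'Automatic' }                         # Table 5-12
}

function Get-RoleServiceBaseline {
    param([Parameter(Mandatory)][string]$Role)
    if (-not $RoleOverlays.ContainsKey($Role)) { throw "Unknown role: $Role" }
    # Start from the member-server baseline and let the role's rows override it;
    # this is what "incrementally added" means in the chapter.
    $baseline = $MemberServerBaseline.Clone()
    foreach ($entry in $RoleOverlays[$Role].GetEnumerator()) { $baseline[$entry.Key] = $entry.Value }
    return $baseline
}

function Test-RoleServiceBaseline {
    param([Parameter(Mandatory)][string]$Role, [string]$ComputerName = $env:COMPUTERNAME)
    $expected = Get-RoleServiceBaseline -Role $Role
    # Win32_Service reports StartMode as Auto/Manual/Disabled; normalise 'Auto' to the table's wording.
    $actual = @{}
    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
        ForEach-Object { $actual[$_.DisplayName] = ($_.StartMode -replace '^Auto$', 'Automatic') }
    foreach ($name in ($expected.Keys | Sort-Object)) {
        $live = if ($actual.ContainsKey($name)) { $actual[$name] } else { 'Not installed' }
        [pscustomobject]@{ Service = $name; Expected = $expected[$name]; Actual = $live
                           Compliant = ($live -eq $expected[$name]) }
    }
}

# Report only the deviations for a domain controller.
Test-RoleServiceBaseline -Role 'DomainController' | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Run it against a file server with `-Role 'FileServer'` to see Distributed File System and File Replication expected as Disabled, the opposite of the domain controller row for the same services.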
Ports required for Web servers
Web servers should have limited ports available, to reduce their exposure to attacks from the local network and the Internet. The fewer the ports that are open, the better. Table 5-13 is a list of additional ports that you will need to open for Web servers.
Table 5-13 Ports for Web servers
Port | Description
80 (HTTP) | The standard HTTP port for providing Web services to users. This can be easily changed and is not required. If you do change the port for HTTP, be sure to add that new port to this list and configure that setting within IIS.
443 (HTTPS) | Allows HTTP to have a higher level of security that provides integrity, encryption, and authentication for Web traffic.
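As an added example (my code, not the chapter's), the following PowerShell turns the port lists of Tables 5-8, 5-10 and 5-13 into a per-role expected set, including the NOTE about port 53 on a domain controller that runs DNS and the custom HTTP port that Table 5-13 says to add to the list, and then flags every TCP or UDP listener on the host that is outside that set. The chapter lists ports without a protocol, so the comparison is by port number only; the cmdlets Get-NetTCPConnection and Get-NetUDPEndpoint require Windows Server 2012 or later, and the role and function names are my own.

```powershell
# Added example (not from the chapter): compare the ports actually listening on a
# host with the per-role port lists in Tables 5-8, 5-10 and 5-13.
$MemberServerPorts = @(137, 138, 139, 445, 3389)                     # Table 5-8
$RolePorts = @{
    'DomainController' = @(88, 123, 135, 389, 464, 636, 3268, 3269)  # Table 5-10
    'FilePrintServer'  = @()                                         # no additional ports listed
    'WebServer'        = @(80, 443)                                  # Table 5-13
}

function Get-ExpectedPorts {
    param([Parameter(Mandatory)][string]$Role, [switch]$RunsDns, [int[]]$ExtraPorts = @())
    if (-not $RolePorts.ContainsKey($Role)) { throw "Unknown role: $Role" }
    $ports = $MemberServerPorts + $RolePorts[$Role]
    if ($RunsDns) { $ports += 53 }        # NOTE after Table 5-10: DNS on the DC needs 53
    $ports += $ExtraPorts                 # e.g. a non-standard HTTP port (Table 5-13)
    return $ports | Sort-Object -Unique
}

function Get-ListeningPorts {
    # TCP listeners plus bound UDP endpoints, each with the owning process id.
    $tcp = Get-NetTCPConnection -State Listen |
        ForEach-Object { [pscustomobject]@{ Protocol = 'TCP'; Port = $_.LocalPort; ProcessId = $_.OwningProcess } }
    $udp = Get-NetUDPEndpoint |
        ForEach-Object { [pscustomobject]@{ Protocol = 'UDP'; Port = $_.LocalPort; ProcessId = $_.OwningProcess } }
    return @($tcp) + @($udp)
}

function Test-RolePorts {
    param([Parameter(Mandatory)][string]$Role, [switch]$RunsDns, [int[]]$ExtraPorts = @())
    $expected = Get-ExpectedPorts -Role $Role -RunsDns:$RunsDns -ExtraPorts $ExtraPorts
    foreach ($listener in (Get-ListeningPorts | Sort-Object Protocol, Port -Unique)) {
        $proc = Get-Process -Id $listener.ProcessId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol   = $listener.Protocol
            Port       = $listener.Port
            Process    = if ($proc) { $proc.ProcessName } else { "PID $($listener.ProcessId)" }
            InBaseline = ($expected -contains $listener.Port)
        }
    }
}

# Listeners on a domain controller that also runs DNS which are outside the chapter's lists.
Test-RolePorts -Role 'DomainController' -RunsDns | Where-Object { -not $_.InBaseline } | Format-Table -AutoSize
```

Anything reported here is either a port the chapter's tables do not cover for that role, or a service that should not be running on it, and each line should be explained before the host is considered compliant.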